📊 Full opportunity report: AI Sovereignty Standards Under Scrutiny: The 24% Rule Analysis on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
European AI sovereignty standards include a unique 24% ownership cap to ensure legal control. This rule is under scrutiny as providers adapt through joint ventures, raising questions about its effectiveness and future impact.
The 24% ownership cap in France’s SecNumCloud framework is drawing increased attention as providers and regulators debate its effectiveness in ensuring European legal sovereignty. This rule, which limits foreign ownership to 24% per entity, is a core component of the legal sovereignty requirement, and its application is shaping the future of European cloud and AI regulation.
The SecNumCloud qualification, issued by France’s ANSSI, includes a 24% ownership threshold designed to prevent non-EU control over sensitive cloud services. This arithmetic-based ownership cap is distinctive among European standards, emphasizing legal sovereignty over mere security practices.
As of mid-2026, about ten providers, including OVHcloud, Outscale, and Scaleway, have obtained active SecNumCloud qualifications, with several more in progress. Major US-based hyperscalers like AWS remain ineligible for direct certification but have created joint ventures—such as Thales-Google S3NS and Capgemini-Orange Bleu—that comply with the 24% ownership rule. These arrangements allow foreign control through structured ownership while maintaining compliance with the sovereignty standard.
Experts note that the 24% rule is a blunt instrument, as it relies on ownership arithmetic rather than control or influence, raising questions about its actual effectiveness in guaranteeing legal sovereignty. The rule is also considered brutally difficult to achieve, with scalingo’s CEO comparing it to a level 10 difficulty on a 1-10 scale, compared to ISO 27001’s level 1.
The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty
ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.
C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.
Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.
The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.
Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.
Implications of the 24% Ownership Cap for European Cloud Control
The 24% ownership rule is central to Europe’s efforts to secure legal sovereignty over critical AI and cloud infrastructure. Its application influences how foreign companies participate in the European market, potentially shaping ownership structures and control mechanisms. As providers adapt through joint ventures, the debate intensifies over whether arithmetic caps effectively prevent foreign influence or merely create legal workarounds.
This regulation impacts not only provider compliance but also the broader geopolitical landscape, as it tests the limits of sovereignty in a digital economy increasingly dominated by US and Chinese tech giants. The ongoing discussions may lead to regulatory refinements or new standards that better address control versus ownership issues, with significant implications for European data security and market independence.
European cloud sovereignty certification
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
European Sovereignty Frameworks and the Rise of the 24% Rule
The concept of digital sovereignty in Europe has gained momentum, with frameworks like SecNumCloud and EUCS emphasizing legal control over data and infrastructure. Since 2016, France’s ANSSI has developed SecNumCloud, which uniquely combines security controls with legal sovereignty requirements, including strict ownership caps.
The 24% ownership rule emerged as a key measure to prevent non-EU entities from exerting disproportionate influence over cloud providers handling sensitive data. While other standards, like Germany’s C5, focus on controls and transparency, SecNumCloud’s arithmetic cap explicitly targets ownership and control.
Major US cloud providers are ineligible for direct SecNumCloud certification, prompting them to form joint ventures with European firms to circumvent the ownership limit, raising questions about the rule’s effectiveness and enforcement.
“Achieving compliance with the 24% rule is like a level 10 challenge—far more complex than traditional security standards—and it requires innovative ownership arrangements.”
— Scalingo CEO
Unclear Effectiveness and Future Regulatory Adjustments
While the 24% ownership rule is operational, its long-term effectiveness in preventing foreign influence remains uncertain. Critics argue that structured ownership through joint ventures could undermine the rule’s intent, and there is ongoing debate about whether control should be measured differently. It is also not yet clear how regulators will respond if widespread ownership circumventions become prevalent or if new legal challenges emerge.
Next Steps in European Sovereignty and Regulatory Evolution
Regulators and industry stakeholders are expected to closely monitor the implementation and enforcement of the 24% ownership rule. Discussions about potential regulatory refinements or new standards are likely, especially as more providers seek SecNumCloud certification. Additionally, the European Commission may consider legislative updates to address emerging circumvention strategies, with a focus on control and influence rather than just ownership.
In parallel, US and Chinese tech firms will continue to adapt through joint ventures and ownership structures, highlighting the ongoing tension between sovereignty goals and market participation.
Key Questions
What is the purpose of the 24% ownership rule in SecNumCloud?
The rule aims to prevent non-EU entities from exerting disproportionate legal control over cloud providers handling sensitive data, thereby ensuring European sovereignty.
Can foreign companies still participate in European cloud services under this rule?
Yes, through joint ventures or ownership structures that keep individual foreign ownership below 24%, foreign companies can participate while complying with the sovereignty standard.
Does the 24% rule fully guarantee legal sovereignty?
Not necessarily. Critics argue that structured ownership can circumvent the rule, and the effectiveness of the cap depends on enforcement and potential regulatory updates.
How does SecNumCloud differ from other standards like C5?
SecNumCloud incorporates an arithmetic ownership cap for sovereignty, whereas standards like C5 focus on controls and transparency. C5 does not prevent foreign control but requires disclosure of jurisdiction.
Source: ThorstenMeyerAI.com